As part of the two-day Open SAMM Summit 2015 a full day is being allocated to software assurance practitioners and those who want to learn about using the vendor-neutral and free Open SAMM to help measure, build and maintain security throughout the software development lifecycle.

Open SAMM helps organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation. The resources provided by SAMM assist in:

Evaluating an organisation's existing software security practices

Building a balanced software security programme in well-defined iterations

Demonstrating concrete improvements to a security assurance program

Defining and measuring security-related activities within an organisation.

There seems to be plenty of activity in the project. Keep up-to-date by following or joining the mailing list.

The users day, on Friday 27th March, is a combination of presentations, workshops and round-table discussions to help explain the approach, to make best use of a maturity model, to show how SAMM is being used by other companies, and to describe some upcoming project initiatives. The user day runs from 08:00 for 09:00 hrs through to 17:00 hrs, and is followed in the evening by an optional social event. Attendance is limited to the first 40 people who register and costs 150 EUR + VAT (21%). Travel, accommodation, subsistence at your own cost.

The following day, the SAMM project team, and any other volunteers who want to participate, will be working on creating outputs for the project.

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
Talks and security leader discussions on key topics discussing the now and future of cyber security innovation and how new cyber startups may have a part to play.

Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
A two-day hackathon for developers, students and the security community to work on new ideas that will either create a cyber security product or a product that has security at its core.

Day 1 - Thursday 29th January
09.00 Participants arrive (+breakfast)
09.30 Introduction & hackathon overview
10.00 Participants with current ideas given 1 minute to present them to everyone
11.00 Teams formed and the Hackathon begins.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

WhiteHat Security has donated a getting started guide to the Open Web Application Security Project (OWASP).

To be successful, we should aim for a program that is more than simply testing sites and delivering results to stakeholders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

The Application Security Program Quick Start Guide provides information on setting up or improving a software development security initiative, and is now an OWASP project. It was created by Gabriel Gumbs, Jeremiah Grossman, Robert Hansen, Jerry Hoff and Matt Johansen. The guide is arranged in "5 days" of actions, which might be somewhat hopeful, but is a useful summary of what WhiteHat has found to work elsewhere.

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAT checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in

So, a good overlap, albeit each of these has somewhat different intent. The SWAT best practices are cross-referenced to the Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls.

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

Manuel Lopez Arredondo

Tobias Gondrom

Martin Haslinger

Riotaro Okada

Ferdinand Vroom

Ivy Zhang

Print-ready PDFs have been published - these are poster sized A2 (international world-wide paper sizes). But the original files are Adobe Illustrator, so these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence.

Just print out the sheets as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

The chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK has been comprehensively updated.

Principal Influences on UK Applications is managed by me and published on my company's web site as a mind map diagram and text tree, together with a change log. The primary sectors addressed are software applications in the retail, financial services, professional services, charitable, marketing, telecommunications and government sectors.

My focus for this chart is:

Mobile app and web application (web sites, web services) development

Guidance and standards

Regulators, regulation and legislation

Supporting organisations such as professional groups, trade bodies and academic institutions.

The chart can also be useful beyond the realms of application security and application privacy. For example, it can help organisations implementing an information security management system (ISMS) that need to keep up-to-date with compliance requirements, and those seeking knowledge on wider information assurance (IA) aspects.

OWASP is again conducting the survey among senior information security leaders and managers and needs your help. The results will be published in the OWASP CISO Report 2014 which will be free to access and use. The project team has asked if we can share this invitation with security contacts in companies and other organisations.

Dear colleague,

The new OWASP CISO Survey 2014 will be closing soon. Hundreds of CISOs already shared their thoughts, but we need to broaden the data pool further to later be able to derive good regional analysis of the results.

So please help by forwarding to your chapters, sharing with your colleagues, and forwarding to the security managers within your organisations and peers!

As respected information security leaders in the industry, OWASP (Open Web Application Security Project, www.owasp.org) would like to hear your opinion and invite you to share this survey invitation with your security managers and/or peers.

OWASP is preparing the Global CISO report 2014 and conducting a survey among CISOs and senior information security managers in relation to application security with the aim of providing you with new insights about the state of application security across various industry sectors and about new security trends and aligning our efforts to better help solving the problems of the future that you face.

The survey shall take only a few minutes of your precious time and by completing it you are helping shape the future of Internet and software security. At the conclusion of the survey, the aggregated results will be publicly available in the form of a free report on the owasp.org website, keeping your information completely anonymous. (If you are interested, the published results of the last CISO Survey Report 2013 can be found at https://www.owasp.org/index.php/OWASP_CISO_Survey).

As you may know, OWASP is a volunteer open-source organization dedicated to fighting the causes of software insecurity. We are also a registered charity & non-profit in the USA and the EU. See more at https://www.owasp.org/index.php/About_OWASP.

Early participants, before October-8 (23:59 GMT) [tomorrow!], can take part in a raffle. If you provide your contact details at the end of the survey, you will be entered into a drawing for one of the generously donated prizes. The Survey will finally close on October 31st.

Thank you very much in advance for your time and input.

Best regards,

Your OWASP Global CISO Survey & Report Project team

If you are a CISO, please complete the survey; otherwise please forward details to relevant contacts.

This week UK standards body BSI has joined the market for security trust marks and seals, by enlarging its range of kitemarks to include a new one for what it calls "secure digital transactions" involving web sites and mobile apps.

The BSI Kitemark for Secure Websites and Apps (or "BSI Kitemark for Secure Digital Transactions") requires a website or app to undergo initial and ongoing checks, and if successful the organisation can display the kitemark on the application and related marketing materials.

The BSI kitemark originated as the British Standards Mark in 1903 for tramway rail dimensions. Having a BSI kitemark associated with a product or service confirms that it conforms to a particular BSI standard. In this case it is 27001 plus some defined technical verification, which one would have thought ought to be a control already defined in the 27001 implementation anyway.

The kitemark will be associated with a single web site (one hostname?) or single app, but the requirements cover both the organisation as well as the application:

Organisation

Achieve and maintain certification to the Information Security Management System Standard (ISO 27001) for the parts of the business that handle confidential data

Web site or app

Initial penetration test which "scans" for vulnerabilities and security flaws

Quarterly penetration tests, review of the results and actions taken.

The assessment sounds like there is no code review or requirement for building security in to multiple stages of the development lifecycle. And I wonder if the use of a kitemark on a mobile app also means the related web services and other systems involved with the transactions have also been assessed. I am also a little worried that the word "scan" is included in the same sentence as "penetration tests" — that doesn't sound right at all. It would be good to know what exactly is required, so consumers can be given more than marketing messages.

Furthermore apparently there are no checks for non-security compliance issues like data protection or marketing privacy. Consumers might expect those in a "secure application". I wonder if an application in-scope for PCI DSS can hold the kitemark but not be compliant with PCI DSS.

So although parts of the organisation that "handle confidential data" have to be ISO 27001 compliant, if the development part (or outsourced development part) does not handle confidential data, then perhaps that is out of scope?

The kitemark has been piloted in the banking industry, but BSI hopes its adoption will be much more widespread. BSI does not seem to have achieved the kitemark for its own web site (and nor does this blog!). My question is do we trust the scheme? More information is required.

Colin Watson (Clerkendweller) is a chartered information technology professional, Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Payment Card Industry Professional (PCIP) and Certified Information Systems Auditor (CISA). He works for Watson Hall Ltd, based mainly in London. The views expressed here are his own personal ones and do not represent the views of his employer, professional association or other body he is associated with.

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.
